WAP Public Key Infrastructure CSCI 5939.02 – CSCI 5939.02 – Independent Study Independent Study Fall 2002 Fall 2002 Jaleel Syed Jaleel Syed Presentation No 5 Presentation No 5
Dec 19, 2015
WAP Public Key Infrastructure
CSCI 5939.02 – CSCI 5939.02 – Independent StudyIndependent Study
Fall 2002Fall 2002
Jaleel SyedJaleel Syed
Presentation No 5Presentation No 5
Cryptography
Encryption: Transforming a message containing critical data into a cipher text.
Decryption: Decoding encoded data and reproducing the original message.
Types Symmetric cryptosystems: encoding and decoding
done using the same secret key.• Highly insecure.• Faster when compared to asymmetric crypto.• Algorithms such as Data Encryption Standard(DES) are
used both for encryption and decryption. Asymmetric cryptosystems. Encoding done using
public key and decoding done using private key.• Secure.• Slower computing speed.• Algorithms such as RSA, ECDSA etc. Are used.
Example
Hashing
It is method to obtain a digital fingerprint(hash) of an original message.
This is used to test the integrity but not to reproduce the message.
Hashing example(Sender)..
Digital Signature Associated with message encryption
Hashing example(Receiver)..
Receiving side
What is Public Key Infrastructure ?
It is a system which enables users to securely and privately exchange data and money through the use of public and private key pair.
It provides a digital certificate that can identify an individual.
It provides directory services(repository) that can store or cancel certificates when necessary.
Components of wired PKI
Certificate Authority• Issues/updates/cancels the digital certificates to the
requestor.
Registration Authority• Authenticates the requestor
Repository• A directory service that stores digital certificates.
Subscriber Relying party
Components of wired PKI contd..
WAP PKI Model
Types of Authentication WTLS Class 1
WAP Device and WAP Gateway are not authenticated.
WTLS Class 2 It provides the capability for the WAP Device to authenticate the
identity of the WAP Gateway.
SignText It provides a mechanism for the client device to create a digital
signature of text sent to it. It provides the capability for the WAP device to authenticate the
identity of the WAP gateway as well as for the WAP gateway to authenticate the identity of the WAP device.
WTLS Class 3 Similar to signText, except that, in this the client’s private key is used
to sign a “challenge” from the server.
WTLS Class 1
Security limitations of WAP
WTLS Class 2
Two Phase security modelWAP Client communicates to the origin
server(content server) via the gateway.
End to End Security modelWAP client communicates with a WAP
Server(WAP gateway + Origin server).
WTLS Class 2 contd..
Two Phase Security Model
WTLS Class 2 contd..1. The WAP Gateway generates a key pair- public key &
private key.2. WAP Gateway sends certificate request to WPKI Portal.3. WPKI Portal confirms ID and forwards request to CA.4. CA sends Gateway Public Certificate to WAP Gateway.5. CA populates online repository with WAP Gateway
certificate.6. WTLS session established between the device and the
gateway.7. SSL/TSL Session established between the gateway and
the server.
WTLS Class 2 contd..
End to End Security Model
WTLS Class 2 contd..
1. The WAP Server generates a key pair- public key & private key.
2. WAP Server sends certificate request to WPKI portal.
3. WPKI portal confirms ID and forwards request to CA.
4. CA sends Server Public certificate to WAP Server
5. WTLS session established between the WAP server and the WAP device.
SignText
Message Signing
SignText contd..1. WAP device requests certificate and sends certificate
URL to WAP device.2. WPKI Portal confirms ID and passes request to CA.3. CA generates User Certificate and sends Certificate
URL(or entire certificate) to the WAP device.4. CA populates the database with User Public key
certificate.5. User signs transaction at the WAP device and sends
transaction, signature and certificate URL(or certificate) to Origin Server.
SignText contd..
6. Origin Server uses certificate URL to retrieve user certificate from database(if not already in possession of certificate).
7. CA database sends user certificate to the Origin Server(if necessary).
8. Origin server verifies the signed transaction sent from the WAP device.
WTLS Class 3
Similar to signText, except that, in this the client’s private key is used to sign a challenge from the server.
Used for Non-repudiation.
Digital Certificate.
Name of the certificate holder. The certificate holder’s public key. Certification Authority A Serial Number Validity period
Types of Digital certificates
Client Certificate.– Authenticates the client.
WAP Server WTLS Certificate.– It authenticates the identity of the WAP server– Encrypt information for server.
CA Certificate.– Authenticates the Certification Authority
Overview
WAP PKI Operations
Trusted CA information Handling. WTLS Server Certificate Handling. Client Registration. Client Certificate URLs.
Trusted CA Information Handling This operation verifies whether the CA that
issued the certificate, can be trusted or not. The CA information should be distributed
to each client. The CA.
• WSP(wireless session protocol): URL is distributed.
• Provisioning: CA information is downloaded on the client.
Trusted CA information Handling contd.. The CA information is sent to the client by.
• Out of band hash verification method: the CA certificate is hashed and sent through an in-band channel whereas the “display” form of hash is sent in an out of band channel(phone or mail).
• Signature verification method: if a new CA has issued the certificate, then it can only be trusted if it is accompanied by the cert of a CA already trusted by the client.
The CA updates the CA certificate the client has by sending a key roll-over message to the client.
WTLS Server Certificate handling The WAP server sends a certification
request to a CA. In response, the CA may.
• Issue a long-lived WTLS certificate.• Or issue a sequence of short-lived WTLS
certificates.o Used to check for revocation of servers.o Equivalent to certificate revocation lists(CRLs) in
wired PKIo Typical lifetime is 48 hrs.
Client Registration
Client generates a public – private key pair. Finds the PKI portal via manual browsing
or through a URL contained in WML page. The PKI Portal checks if the requestor has
the corresponding private key to the given public key(Proof of Possession).
This is done by signing a “challenge” provided by the PKI Portal.
Client Certificate URLs
The client sends its certificate URL to the server, which it uses to get the certificate.
It is preferable to pass a link to client certificate rather than passing the whole client certificates.
Protocols used HTTP, LDAP or FTP.
Example
Example
Future
The WAP Forum is working on a number of significant new specifications:
Transport layer end-to-end security.
WTLS session from the client all the way to the proxy in the content server's secure domain
Wireless Interface Module
References
Introduction to PKI
Wireless PKI model
Digital certificates and wireless transport layer security
Analysis of subscriber certificates concept
Future of WAP and beyond